The Data Protection Act 1988 and 2003
People exchange, share and use data every day. Data means information that can be processed automatically or manually. When it comes to personal data, which is data relating to a human being who can be identified from the data, data protection becomes very important.
“The Data Protection Act 1988 and 2003 confer rights on individuals as well as placing responsibilities on those persons processing personal data.”
A Data Subject, also called a Data Receiver, is a living individual to whom personal data relates. The Data Protection Acts provide data subjects with certain rights, enabling them to check what data relating to themselves is being held and how or where it is used.
The rights of data subjects
•The right to establish the existence of personal data
•The right of access
•The right of objection
•The right of rectification
The rights come with responsibilities: they are not given to data subjects so that they can make enquiries simply out of curiosity, but so that they can check what data is being processed about them and whether it is correct.
Ways for a Data Subject to ensure their rights
•Tick boxes online (to choose whether your information can be used for any other purpose)
•Unsubscribe (from notifications, information/offer e-mails etc.)
•Read the terms and conditions when setting up accounts online
•Avoid sending e-mails containing confidential information
A Data Controller is the one who controls the content of personal data. It can be a legal entity, such as a government department or a company, or an individual, such as a sole trader or a General Practitioner. Data Controllers are recognised in the Data Protection Acts 1988 and 2003 as having certain responsibilities imposed on them by law.
The responsibilities of the Data Controller
•Ensuring that data is obtained lawfully
•That it is used for the purpose
•That it is kept safe and secure
•That it is accurate and up to date
•That it is relevant
•That it is not disclosed or used for unlawful purposes
•That it is not stored longer than necessary and provided to the subject on request
All data controllers must comply with the rules/responsibilities above, and some data controllers are obliged to register annually with the Data Protection Commissioner, to make evident their data handling procedures.
How the Data Controller ensures the responsibilities are carried out, and the organisation's responsibilities
A Data Controller must make himself aware of his responsibilities relating to data protection. Within an organisation, the staff should also be made aware of their responsibilities, and appropriate induction training should be given. An internal data protection policy, relevant to the personal data held by the organisation and reflecting the elementary data protection rules as applied to the organisation, can be put in place and made available to the staff. It can then be enforced through consistent reviews and management.
A Data Processor is someone who processes data on behalf of a data controller. It does not include an employee of the data controller who processes the data in the course of his employment. Rather, it is a subsidiary company contracted by the data controller to manage or process data on its behalf, such as:
Data Protection Commissioner
The Data Protection Commissioner is a sole person who enforces the Data Protection Act and compliance with it. He can investigate any complaints concerning data protection breaches, develop codes of practice and maintain a register of data controllers.
There have been cases when supermarkets have passed on their customers’ data to other companies.
When using loyalty cards at supermarkets, we automatically let the company gather information about us without thinking much of it. Usually, to avail of the loyalty card, a questionnaire or an application form needs to be filled in, so we pass on some of our personal details to the company and therefore become the Data Subject. The company, now the Data Controller, holds some of our information and, with the help of the loyalty card, can continue to gather information such as a log of purchases.
Coming to the point, there have been cases when customers of a supermarket have been contacted by e-mail by a formula company advertising and offering its product. Passing on personal information is considered noncompliance with the Data Protection Act.